Unix, including DragonFly BSD is, as previously explained, a multi-user, multi-tasking system. It is therefore possible, and in fact very common, to have a situation where many users are logged on to one computer, and every one of these users is running many different jobs. Although only one user can physically sit at the computer and use the monitor, keyboard, and mouse connected thereto, others can get their work done by logging in through the network.

-

After reading this chapter, you will know:

-

* The differences between the various user accounts on a DragonFly system.

-

* How to add user accounts.

-

* How to remove user accounts.

-

* How to change account details, such as the user's full name, or preferred shell.

-

* How to set limits on a per-account basis, to control the resources such as memory and CPU time that accounts and groups of accounts are allowed to access.

-

* How to use groups to make account management easier.

-

-

Before reading this chapter, you should:

-

-

-

* Understand the basics of UNIX® and DragonFly ([Chapter 3](basics.html)).

-

-

## Introduction

-

-

All access to the system is achieved via accounts, and all processes are run by users, so user and account management are of integral importance on DragonFly systems.

-

-

Every account on a DragonFly system has certain information associated with it to identify the account.

-

-

* User name: The user name as it would be typed at the login: prompt. User names must be unique across the computer; you may not have two users with the same user name. There are a number of rules for creating valid user names, documented in [passwd(5)](http://leaf.dragonflybsd.org/cgi/web-man?command=passwd&section=5); you would typically use user names that consist of eight or fewer all lower case characters.Password:: Each account has a password associated with it. The password may be blank, in which case no password will be required to access the system. This is normally a very bad idea; every account should have a password.

* User ID (UID): The UID is a number, traditionally from 0 to 65535[(1)](#FTN.USERS-LARGEUIDGID), used to uniquely identify the user to the system. Internally, DragonFly uses the UID to identify users--any DragonFly commands that allow you to specify a user name will convert it to the UID before working with it. This means that you can have several accounts with different user names but the same UID. As far as DragonFly is concerned, these accounts are one user. It is unlikely you will ever need to do this.
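Review bot: in the account-information list, the Password entry has been run onto the end of the User name item ("...eight or fewer all lower case characters.Password:: Each account has a password associated with it."), so it will not render as its own bullet; start it on a new line as `* Password:` to match the `* User ID (UID):` item that follows. The footnote marker `[(1)](#FTN.USERS-LARGEUIDGID)` points at an anchor that does not appear anywhere in this diff, so check that the footnote target survives the edit.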

@@ -73,88+50,38 @@ Every account on a DragonFly system has certain information associated with it t

* User shell: The shell provides the default environment users use to interact with the system. There are many different kinds of shells, and experienced users will have their own preferences, which can be reflected in their account settings.

-

-

There are three main types of accounts: the Superuser, system users and user accounts. The Superuser account, usually called `root`, is used to manage the system with no limitations on privileges. System users run services. Finally, user accounts are used by real people, who log on, read mail, and so forth.

-

-

## The Superuser Account

-

-

The superuser account, usually called `root`, comes preconfigured to facilitate system administration, and should not be used for day-to-day tasks like sending and receiving mail, general exploration of the system, or programming.

-

-

This is because the superuser, unlike normal user accounts, can operate without limits, and misuse of the superuser account may result in spectacular disasters. User accounts are unable to destroy the system by mistake, so it is generally best to use normal user accounts whenever possible, unless you especially need the extra privilege.

-

-

You should always double and triple-check commands you issue as the superuser, since an extra space or missing character can mean irreparable data loss.

-

-

So, the first thing you should do after reading this chapter is to create an unprivileged user account for yourself for general usage if you have not already. This applies equally whether you are running a multi-user or single-user machine. Later in this chapter, we discuss how to create additional accounts, and how to change between the normal user and superuser.

-

-

-

-

-

-

## System Accounts

-

-

System users are those used to run services such as DNS, mail, web servers, and so forth. The reason for this is security; if all services ran as the superuser, they could act without restriction.

-

-

Examples of system users are `daemon`, `operator`, `bind` (for the Domain Name Service), and `news`. Often sysadmins create `httpd` to run web servers they install.

-

-

`nobody` is the generic unprivileged system user. However, it is important to keep in mind that the more services that use `nobody`, the more files and processes that user will become associated with, and hence the more privileged that user becomes.

-

-

-

-

-

-

-

-

-

-

## User Accounts

-

-

User accounts are the primary means of access for real people to the system, and these accounts insulate the user and the environment, preventing the users from damaging the system or other users, and allowing users to customize their environment without affecting others.

-

-

Every person accessing your system should have a unique user account. This allows you to find out who is doing what, prevent people from clobbering each others' settings or reading each others' mail, and so forth.

-

-

Each user can set up their own environment to accommodate their use of the system, by using alternate shells, editors, key bindings, and language.

-

-

-

-

-

-

## Modifying Accounts

-

-

There are a variety of different commands available in the UNIX® environment to manipulate user accounts. The most common commands are summarized below, followed by more detailed examples of their usage.

-

-

[[!table data="""

Command | Summary

[adduser(8)](http://leaf.dragonflybsd.org/cgi/web-man?command=adduser&section=8) | The recommended command-line application for adding new users.

[adduser(8)](http://leaf.dragonflybsd.org/cgi/web-man?command=adduser&section=8) is a simple program for adding new users. It creates entries in the system `passwd` and `group` files. It will also create a home directory for the new user, copy in the default configuration files (***dotfiles***) from `/usr/share/skel`, and can optionally mail the new user a welcome message.

-

-

To create the initial configuration file, use `adduser -s -config_create`. Next, we configure [adduser(8)](http://leaf.dragonflybsd.org/cgi/web-man?command=adduser&section=8) defaults, and create our first user account, since using `root` for normal usage is evil and nasty.

In summary, we changed the default shell to **zsh** (an additional shell found in pkgsrc®), and turned off the sending of a welcome mail to added users. We then saved the configuration, created an account for `jru`, and made sure `jru` is in `wheel` group (so that she may assume the role of `root` with the [su(1)](http://leaf.dragonflybsd.org/cgi/web-man?command=su&section=1) command.)

-

**Note:** The password you type in is not echoed, nor are asterisks displayed. Make sure you do not mistype the password twice.

-

**Note:** Just use [adduser(8)](http://leaf.dragonflybsd.org/cgi/web-man?command=adduser&section=8) without arguments from now on, and you will not have to go through changing the defaults. If the program asks you to change the defaults, exit the program, and try the `-s` option.

-

-

### rmuser

-

-

You can use [rmuser(8)](http://leaf.dragonflybsd.org/cgi/web-man?command=rmuser&section=8) to completely remove a user from the system. [rmuser(8)](http://leaf.dragonflybsd.org/cgi/web-man?command=rmuser&section=8) performs the following steps:

1. Removes any [at(1)](http://leaf.dragonflybsd.org/cgi/web-man?command=at&section=1) jobs belonging to the user.
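Review bot: the `[[!table data="""` directive opened just above "Command | Summary" is never closed, so ikiwiki will treat everything from the adduser(8) row down to the rmuser section as table data; close it with `"""]]` right after the adduser row and let the explanatory paragraphs follow as ordinary text. The paragraph beginning "In summary, we changed the default shell to zsh" summarizes an interactive adduser session (the one introduced by "To create the initial configuration file, use `adduser -s -config_create`") that is not present in this hunk, so either the transcript was lost or the summary should be reworded to stand on its own.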

@@ -309,20+220,12 @@ You can use [rmuser(8)](http://leaf.dragonflybsd.org/cgi/web-man?command=rmuser&

**Note:** If a group becomes empty and the group name is the same as the username, the group is removed; this complements the per-user unique groups created by [adduser(8)](http://leaf.dragonflybsd.org/cgi/web-man?command=adduser&section=8).

-

-

[rmuser(8)](http://leaf.dragonflybsd.org/cgi/web-man?command=rmuser&section=8) cannot be used to remove superuser accounts, since that is almost always an indication of massive destruction.

-

-

By default, an interactive mode is used, which attempts to make sure you know what you are doing.

-

-

**Example 8-2. `rmuser` Interactive Account Removal**

-

-

# rmuser jru
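Review bot: the transcript line `# rmuser jru` is a bare paragraph, and a leading `#` at the start of a markdown line is heading syntax, so this root prompt will render as a level-1 heading instead of a command; indent it four spaces (or fence it) as a code block together with the dialog that follows. The same fix is needed for every other `#`-prompt example in this page (`# passwd jru`, `# pw groupadd teamtwo`, `# pw groupmod teamtwo -M jru`, `# ls /etc/ssh`, `# /etc/rc.d/sshd start`).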

@@ -349,28+252,16 @@ By default, an interactive mode is used, which attempts to make sure you know wh

Only system administrators, as the superuser, may change other users' information and passwords with [chpass(1)](http://leaf.dragonflybsd.org/cgi/web-man?command=chpass&section=1).

-

When passed no options, aside from an optional username, [chpass(1)](http://leaf.dragonflybsd.org/cgi/web-man?command=chpass&section=1) displays an editor containing user information. When the user exists from the editor, the user database is updated with the new information.

-

-

***'Example 8-3. Interactive `chpass` by Superuser***'

-

-

#Changing user database information for jru.
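Review bot: "When the user exists from the editor, the user database is updated" should read "exits from the editor". The example heading `***'Example 8-3. Interactive chpass by Superuser***'` has stray quotes inside the emphasis markers and will render with literal asterisks; use `**Example 8-3. Interactive chpass by Superuser**`, the form Example 8-2 uses (Example 8-6 later in the page has the same problem). The editor buffer beginning `#Changing user database information for jru.` must also go in a code block, otherwise the leading `#` is taken as a heading marker.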

@@ -403,14+294,8 @@ When passed no options, aside from an optional username, [chpass(1)](http://leaf

Other information:

-

-

-

-

The normal user can change only a small subset of this information, and only for themselves.

-

-

**Example 8-4. Interactive chpass by Normal User**

@@ -429,30+314,16 @@ The normal user can change only a small subset of this information, and only for

Other information:

-

-

-

-

**Note:** [chfn(1)](http://leaf.dragonflybsd.org/cgi/web-man?command=chfn&section=1) and [chsh(1)](http://leaf.dragonflybsd.org/cgi/web-man?command=chsh&section=1) are just links to [chpass(1)](http://leaf.dragonflybsd.org/cgi/web-man?command=chpass&section=1), as are [ypchpass(1)](http://leaf.dragonflybsd.org/cgi/web-man?command=ypchpass&section=1), [ypchfn(1)](http://leaf.dragonflybsd.org/cgi/web-man?command=ypchfn&section=1), and [ypchsh(1)](http://leaf.dragonflybsd.org/cgi/web-man?command=ypchsh&section=1). NIS support is automatic, so specifying the `yp` before the command is not necessary. If this is confusing to you, do not worry, NIS will be covered in [advanced-networking.html Chapter 19].

-

-

### passwd

-

-

[passwd(1)](http://leaf.dragonflybsd.org/cgi/web-man?command=passwd&section=1) is the usual way to change your own password as a user, or another user's password as the superuser.

-

-

**Note:** To prevent accidental or unauthorized changes, the original password must be entered before a new password can be set.

-

-

**Example 8-5. Changing Your Password**

-

-

% passwd
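Review bot: `[advanced-networking.html Chapter 19]` in the chfn/chsh note is a wiki-style link that markdown will print literally; write it as `[Chapter 19](advanced-networking.html)`, as the page already does for `[Chapter 3](basics.html)`. The `% passwd` transcript that opens Example 8-5 should sit in a code block like the other examples.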

@@ -469,14+340,8 @@ The normal user can change only a small subset of this information, and only for

passwd: done

-

-

-

-

***'Example 8-6. Changing Another User's Password as the Superuser***'

-

-

# passwd jru

@@ -491,146+356,81 @@ The normal user can change only a small subset of this information, and only for

passwd: done

-

-

-

-

**Note:** As with [chpass(1)](http://leaf.dragonflybsd.org/cgi/web-man?command=chpass&section=1), [yppasswd(1)](http://leaf.dragonflybsd.org/cgi/web-man?command=yppasswd&section=1) is just a link to [passwd(1)](http://leaf.dragonflybsd.org/cgi/web-man?command=passwd&section=1), so NIS works with either command.

-

-

### pw

-

-

[pw(8)](http://leaf.dragonflybsd.org/cgi/web-man?command=pw&section=8) is a command line utility to create, remove, modify, and display users and groups. It functions as a front end to the system user and group files. [pw(8)](http://leaf.dragonflybsd.org/cgi/web-man?command=pw&section=8) has a very powerful set of command line options that make it suitable for use in shell scripts, but new users may find it more complicated than the other commands presented here.

-

-

#### Notes

-

-

[[!table data="""

<tablestyle#"width:100%"> The `-s` makes [adduser(8)](http://leaf.dragonflybsd.org/cgi/web-man?command=adduser&section=8) default to quiet. We use `-v` later when we want to change defaults. |

| |

"""]]

-

## Limiting Users

<!-- XXX: check this section, I got the feeling there might be something outdated in it. I'm not familiar with it -->

If you have users, the ability to limit their system use may have come to mind. DragonFly provides several ways an administrator can limit the amount of system resources an individual may use. These limits are divided into two sections: disk quotas, and other resource limits.

-

-

Disk quotas limit disk usage to users, and they provide a way to quickly check that usage without calculating it every time. Quotas are discussed in [quotas.html Section 12.12].

-

-

The other resource limits include ways to limit the amount of CPU, memory, and other resources a user may consume. These are defined using login classes and are discussed here.

-

-

Login classes are defined in `/etc/login.conf`. The precise semantics are beyond the scope of this section, but are described in detail in the [login.conf(5)](http://leaf.dragonflybsd.org/cgi/web-man?command=login.conf&section=5) manual page. It is sufficient to say that each user is assigned to a login class (`default` by default), and that each login class has a set of login capabilities associated with it. A login capability is a `name=value` pair, where `name` is a well-known identifier and `value` is an arbitrary string processed accordingly depending on the name. Setting up login classes and capabilities is rather straight-forward and is also described in [login.conf(5)](http://leaf.dragonflybsd.org/cgi/web-man?command=login.conf&section=5).

-

-

Resource limits are different from plain vanilla login capabilities in two ways. First, for every limit, there is a soft (current) and hard limit. A soft limit may be adjusted by the user or application, but may be no higher than the hard limit. The latter may be lowered by the user, but never raised. Second, most resource limits apply per process to a specific user, not the user as a whole. Note, however, that these differences are mandated by the specific handling of the limits, not by the implementation of the login capability framework (i.e., they are not ***really*** a special case of login capabilities).

-

-

And so, without further ado, below are the most commonly used resource limits (the rest, along with all the other login capabilities, may be found in [login.conf(5)](http://leaf.dragonflybsd.org/cgi/web-man?command=login.conf&section=5)).

-

-

-

* `coredumpsize`: The limit on the size of a core file generated by a program is, for obvious reasons, subordinate to other limits on disk usage (e.g., `filesize`, or disk quotas). Nevertheless, it is often used as a less-severe method of controlling disk space consumption: since users do not generate core files themselves, and often do not delete them, setting this may save them from running out of disk space should a large program (e.g., **emacs** ) crash.

-

* `cputime`: This is the maximum amount of CPU time a user's process may consume. Offending processes will be killed by the kernel.

**Note:** This is a limit on CPU ***time*** consumed, not percentage of the CPU as displayed in some fields by [top(1)](http://leaf.dragonflybsd.org/cgi/web-man?command=top&section=1) and [ps(1)](http://leaf.dragonflybsd.org/cgi/web-man?command=ps&section=1). A limit on the latter is, at the time of this writing, not possible, and would be rather useless: legitimate use of a compiler, for instance, can easily use almost 100% of a CPU for some time.

-

* `filesize`: This is the maximum size of a file the user may possess. Unlike [quotas.html disk quotas], this limit is enforced on individual files, not the set of all files a user owns.

-

* `maxproc`: This is the maximum number of processes a user may be running. This includes foreground and background processes alike. For obvious reasons, this may not be larger than the system limit specified by the `kern.maxproc` [sysctl(8)](http://leaf.dragonflybsd.org/cgi/web-man?command=sysctl&section=8). Also note that setting this too small may hinder a user's productivity: it is often useful to be logged in multiple times or execute pipelines. Some tasks, such as compiling a large program, also spawn multiple processes (e.g., [make(1)](http://leaf.dragonflybsd.org/cgi/web-man?command=make&section=1), [cc(1)](http://leaf.dragonflybsd.org/cgi/web-man?command=cc&section=1), and other intermediate preprocessors).

-

* `memorylocked`: This is the maximum amount a memory a process may have requested to be locked into main memory (e.g., see [mlock(2)](http://leaf.dragonflybsd.org/cgi/web-man?command=mlock&section2)). Some system-critical programs, such as [amd(8)](http://leaf.dragonflybsd.org/cgi/web-man?command=amd&section=8), lock into main memory such that in the event of being swapped out, they do not contribute to a system's trashing in time of trouble.

-

* `memoryuse`: This is the maximum amount of memory a process may consume at any given time. It includes both core memory and swap usage. This is not a catch-all limit for restricting memory consumption, but it is a good start.

-

* `openfiles`: This is the maximum amount of files a process may have open. In DragonFly, files are also used to represent sockets and IPC channels; thus, be careful not to set this too low. The system-wide limit for this is defined by the `kern.maxfiles` [sysctl(8)](http://leaf.dragonflybsd.org/cgi/web-man?command=sysctl&section=8).

-

* `sbsize`: This is the limit on the amount of network memory, and thus mbufs, a user may consume. This originated as a response to an old DoS attack by creating a lot of sockets, but can be generally used to limit network communications.

-

* `stacksize`: This is the maximum size a process' stack may grow to. This alone is not sufficient to limit the amount of memory a program may use; consequently, it should be used in conjunction with other limits.

-

-

There are a few other things to remember when setting resource limits. Following are some general tips, suggestions, and miscellaneous comments.

-

-

-

* Processes started at system startup by `/etc/rc` are assigned to the `daemon` login class.

-

* Although the `/etc/login.conf` that comes with the system is a good source of reasonable values for most limits, only you, the administrator, can know what is appropriate for your system. Setting a limit too high may open your system up to abuse, while setting it too low may put a strain on productivity.

-

* Users of the X Window System (X11) should probably be granted more resources than other users. X11 by itself takes a lot of resources, but it also encourages users to run more programs simultaneously.

-

* Remember that many limits apply to individual processes, not the user as a whole. For example, setting `openfiles` to 50 means that each process the user runs may open up to 50 files. Thus, the gross amount of files a user may open is the value of `openfiles` multiplied by the value of `maxproc`. This also applies to memory consumption.

-

-

For further information on resource limits and login classes and capabilities in general, please consult the relevant manual pages: [cap_mkdb(1)](http://leaf.dragonflybsd.org/cgi/web-man?command#cap_mkdb&section1), [getrlimit(2)](http://leaf.dragonflybsd.org/cgi/web-man?command=getrlimit&section=2), [login.conf(5)](http://leaf.dragonflybsd.org/cgi/web-man?command=login.conf&section=5).

-

-

-

-

-

-

-

## Personalizing Users

-

-

Localization is an environment set up by the system administrator or user to accommodate different languages, character sets, date and time standards, and so on. This is discussed in [this chapter](l10n.html).

-

-

## Groups

-

-

A group is simply a list of users. Groups are identified by their group name and GID (Group ID). In DragonFly (and most other UNIX® like systems), the two factors the kernel uses to decide whether a process is allowed to do something is its user ID and list of groups it belongs to. Unlike a user ID, a process has a list of groups associated with it. You may hear some things refer to the ***group ID*** of a user or process; most of the time, this just means the first group in the list.

-

-

The group name to group ID map is in `/etc/group`. This is a plain text file with four colon-delimited fields. The first field is the group name, the second is the encrypted password, the third the group ID, and the fourth the comma-delimited list of members. It can safely be edited by hand (assuming, of course, that you do not make any syntax errors!). For a more complete description of the syntax, see the [group(5)](http://leaf.dragonflybsd.org/cgi/web-man?command#group&section5) manual page.

-

-

If you do not want to edit `/etc/group` manually, you can use the [pw(8)](http://leaf.dragonflybsd.org/cgi/web-man?command#pw&section8) command to add and edit groups. For example, to add a group called `teamtwo` and then confirm that it exists you can use:

-

-

**Example 8-7. Adding a Group Using pw(8)**

-

-

# pw groupadd teamtwo
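Review bot: several man-page URLs in this hunk are corrupted, with `=` replaced by `#` or dropped: `command#cap_mkdb&section1`, `command#group&section5`, `command#pw&section8` (twice) and `command=mlock&section2` should all use the `command=NAME&section=N` form used elsewhere on the page, and `<tablestyle#"width:100%">` in the Notes table should be `<tablestyle="width:100%">`. Further fixes: `[quotas.html Section 12.12]` and `[quotas.html disk quotas]` are wiki-style links that need the `[text](quotas.html)` markdown form; "the maximum amount a memory a process may have requested" should be "amount of memory"; "a system's trashing in time of trouble" should be "thrashing"; and in the Groups paragraph "the two factors the kernel uses to decide whether a process is allowed to do something is its user ID" needs "are". The Notes table's footnote ("We use `-v` later when we want to change defaults") refers to a `-v` invocation that appears nowhere in this diff, and the `<!-- XXX: check this section ... -->` comment is an open review item that should be resolved or tracked rather than shipped in the page.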

@@ -639,18+439,10 @@ If you do not want to edit `/etc/group` manually, you can use the [pw(8)](http:/

teamtwo:*:1100:

-

-

-

-

The number `1100` above is the group ID of the group `teamtwo`. Right now, `teamtwo` has no members, and is thus rather useless. Let's change that by inviting `jru` to the `teamtwo` group.

-

-

**Example 8-8. Adding Somebody to a Group Using pw(8)**

-

-

# pw groupmod teamtwo -M jru
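Review bot: Example 8-8 describes `pw groupmod teamtwo -M jru` as "inviting" jru to the group, but as the following text states, the argument to `-M` is the complete comma-delimited member list, so running the same command later for another user would silently drop `jru` from `teamtwo`; say explicitly that `-M` replaces the membership and refer the reader to pw(8) for the append form. This matters beyond `teamtwo`, since membership of `wheel` is what lets an account `su` to root, as the adduser section notes.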

@@ -659,51+451,32 @@ The number `1100` above is the group ID of the group `teamtwo`. Right now, `team

teamtwo:*:1100:jru

-

-

-

-

The argument to the `-M` option is a comma-delimited list of users who are members of the group. From the preceding sections, we know that the password file also contains a group for each user. The latter (the user) is automatically added to the group list by the system; the user will not show up as a member when using the `groupshow` command to [pw(8)](http://leaf.dragonflybsd.org/cgi/web-man?command#pw&section8), but will show up when the information is queried via [id(1)](http://leaf.dragonflybsd.org/cgi/web-man?command=id&section=1) or similar tool. In other words, [pw(8)](http://leaf.dragonflybsd.org/cgi/web-man?command=pw&section=8) only manipulates the `/etc/group` file; it will never attempt to read additionally data from `/etc/passwd`.

-

-

**Example 8-9. Using id(1) to Determine Group Membership**

-

-

% id jru

uid#1001(jru) gid1001(jru) groups=1001(jru), 1100(teamtwo)

-

-

-

-

As you can see, `jru` is a member of the groups `jru` and `teamtwo`.

-

-

For more information about [pw(8)](http://leaf.dragonflybsd.org/cgi/web-man?command#pw&section8), see its manual page, and for more information on the format of `/etc/group`, consult the [group(5)](http://leaf.dragonflybsd.org/cgi/web-man?command=group&section=5) manual page.

-

-

-

#SSH Server on DragonFly

The best way to log in to a Unix machine across the network is with a program known as ssh.

If you try to ssh to a newly installed dfly from another system you will get this error

-

$ ssh root@172.16.50.62

ssh: connect to host 172.16.50.62 port 22: Connection refused

This is because sshd is not up and running on dfly.

At this point if you check /etc/ssh you will only have the following files

-

# ls /etc/ssh

blacklist.DSA-1024 blacklist.RSA-2048 ssh_config

blacklist.DSA-2048 blacklist.RSA-4096 sshd_config
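Review bot: the id(1) output in Example 8-9 is corrupted: `uid#1001(jru) gid1001(jru)` should read `uid=1001(jru) gid=1001(jru)`, and "it will never attempt to read additionally data from `/etc/passwd`" should be "additional data". The `#SSH Server on DragonFly` heading uses a single `#` with no space after it while every other section heading in the chapter uses `## `; make it `## SSH Server on DragonFly` so it nests under the chapter like "Groups" does. The walkthrough also opens with `$ ssh root@172.16.50.62`, a root login over the network, while the end of the same section warns that password-based root login is not advisable; use the unprivileged account (`sgeorge`, as the later example does) from the first step so the text is consistent with its own advice.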

@@ -719,7+492,6 @@ When you start sshd for the first time it is best to start it through the <b>"/e

2) Start the sshd server using the rc script

-

# /etc/rc.d/sshd start

Generating public/private rsa1 key pair.

Your identification has been saved in /etc/ssh/ssh_host_key.

@@ -735,7+507,6 @@ When you start sshd for the first time it is best to start it through the <b>"/e

Now if you go back and look in /etc/ssh you will find the SSH host key files too.

-

# ls /etc/ssh

blacklist.DSA-1024 moduli ssh_host_key.pub

blacklist.DSA-2048 ssh_config ssh_host_rsa_key

@@ -743,10+514,8 @@ Now if you go back and look in /etc/ssh you will find the SSH host key files too

blacklist.RSA-2048 ssh_host_dsa_key.pub sshd_config

blacklist.RSA-4096 ssh_host_key

-

At this point if you try to ssh to the dfly you will get the following error

-

$ ssh sgeorge@172.16.50.62

The authenticity of host '172.16.50.62 (172.16.50.62)' can't be established.

** It is not advisable to allow Root Login with password especially if your System is connected to the Internet unless you use Very Strong Passwords. You could be a victim of [ssh password based brute force attacks](http://en.wikipedia.org/wiki/Password_cracking#Brute_force_attack). If you are victim of one such attack you can find entries like the following in your** ****"/var/log/auth.log file"****.
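Review bot: "The authenticity of host '172.16.50.62 (172.16.50.62)' can't be established." is not an error: it is the normal first-connection prompt in which ssh asks the user to verify the server's host key fingerprint before trusting it, so the text should present it as the expected host-key confirmation and tell the reader to compare the fingerprint with the key just generated in `/etc/ssh`, rather than calling it "the following error". The closing paragraph's emphasis markup is broken (`...in your** ****"/var/log/auth.log file"****` leaves unbalanced asterisks around the file name), and it promises log entries "like the following" that do not appear in this hunk; the advice against root password login would also be more actionable if it named the `PermitRootLogin` setting in the `sshd_config` file listed just above.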

@@ -866,14+627,12 @@ This document is very detailed so that a new user can be familiar with the envir

If you try to ssh to a newly installed dfly from another system you will get this error

-

$ ssh root@172.16.50.62

ssh: connect to host 172.16.50.62 port 22: Connection refused

This is because sshd is not up and running on dfly.

At this point if you check /etc/ssh you will only have the following files

-

# ls /etc/ssh

blacklist.DSA-1024 blacklist.RSA-2048 ssh_config

blacklist.DSA-2048 blacklist.RSA-4096 sshd_config
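Review bot: this hunk (old line 866 onward) repeats the SSH section verbatim: "If you try to ssh to a newly installed dfly from another system you will get this error" through the `# ls /etc/ssh` listing is identical to the text at old line 719, and the hunks that follow repeat the `/etc/rc.d/sshd start` transcript, the host-key listing and the root-login warning as well. The page carries two copies of the whole SSH walkthrough; keep one and delete the other so every later correction does not have to be applied twice.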

@@ -889,7+648,6 @@ When you start sshd for the first time it is best to start it through the <b>"/e

2) Start the sshd server using the rc script

-

# /etc/rc.d/sshd start

Generating public/private rsa1 key pair.

Your identification has been saved in /etc/ssh/ssh_host_key.

@@ -905,7+663,6 @@ When you start sshd for the first time it is best to start it through the <b>"/e

Now if you go back and look in /etc/ssh you will find the SSH host key files too.

-

# ls /etc/ssh

blacklist.DSA-1024 moduli ssh_host_key.pub

blacklist.DSA-2048 ssh_config ssh_host_rsa_key

@@ -913,10+670,8 @@ Now if you go back and look in /etc/ssh you will find the SSH host key files too

blacklist.RSA-2048 ssh_host_dsa_key.pub sshd_config

blacklist.RSA-4096 ssh_host_key

-

At this point if you try to ssh to the dfly you will get the following error

-

$ ssh sgeorge@172.16.50.62

The authenticity of host '172.16.50.62 (172.16.50.62)' can't be established.

** It is not advisable to allow Root Login with password especially if your System is connected to the Internet unless you use Very Strong Passwords. You could be a victim of [ssh password based brute force attacks](http://en.wikipedia.org/wiki/Password_cracking#Brute_force_attack). If you are victim of one such attack you can find entries like the following in your** ****"/var/log/auth.log file"****.